
Mattermost — Vulnerabilities & Security Advisories (382)

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-12689 | DoS in Calls plugin via malformed UTF-8 in WebSocket request | Mattermost | CWE-1287 | 6.5 | Medium | 2025-12-17 |
| CVE-2025-62690 | Open redirect in error page when link opened in new tab | Mattermost | CWE-601 | 3.1 | Low | 2025-12-17 |
| CVE-2025-13352 | Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking | Mattermost | CWE-1287 | 3.0 | Low | 2025-12-17 |
| CVE-2025-62190 | CSRF Allows Call Initiation and Message Delivery | Mattermost | CWE-352 | 4.3 | Medium | 2025-12-17 |
| CVE-2025-13870 | Unauthorized access and subscription vulnerability in Boards | Mattermost | CWE-306 | 3.1 | Low | 2025-12-02 |
| CVE-2025-12756 | Insecure Direct Object Reference in Mattermost Boards Plugin Enables Unauthorised Comment Deletion | Mattermost | CWE-863 | 4.3 | Medium | 2025-12-01 |
| CVE-2025-12421 | Account Takeover via Code Exchange Endpoint | Mattermost | CWE-303 | 9.9 | Critical | 2025-11-27 |
| CVE-2025-12559 | Information Disclosure in Common Teams API | Mattermost | CWE-200 | 4.3 | Medium | 2025-11-27 |
| CVE-2025-12419 | Account takeover on OAuth/OpenID-enabled servers | Mattermost | CWE-303 | 9.9 | Critical | 2025-11-27 |
| CVE-2025-55074 | Channel member objects leak read status | Mattermost | CWE-1426 | 3.0 | Low | 2025-11-18 |
| CVE-2025-11794 | Password hash and MFA secret returned in user email verification endpoint | Mattermost | CWE-200 | 4.9 | Medium | 2025-11-14 |
| CVE-2025-55073 | MS Teams plugin OAuth allows editing arbitrary posts | Mattermost | CWE-306 | 5.4 | Medium | 2025-11-14 |
| CVE-2025-55070 | Lack of MFA enforcement in WebSocket connections | Mattermost | CWE-306 | 6.5 | Medium | 2025-11-14 |
| CVE-2025-41436 | Unauthorized access to archived channel content via threads interface | Mattermost | CWE-863 | 3.1 | Low | 2025-11-14 |
| CVE-2025-11776 | Guest user can discover archived public channels | Mattermost | CWE-863 | 4.3 | Medium | 2025-11-14 |
| CVE-2025-59480 | Inadequate validation of SSO redirect credentials permits credential theft | Mattermost | CWE-352 | 6.1 | Medium | 2025-11-13 |
| CVE-2025-11777 | Cross-team channel membership access | Mattermost | CWE-863 | 3.1 | Low | 2025-11-13 |
| CVE-2025-55035 | Mattermost Desktop DoS when user has basic authentication server configured | Mattermost | CWE-754 | 6.1 | Medium | 2025-10-16 |
| CVE-2025-58073 | Arbitrary Mattermost Team can be joined by manipulating the OAuth state | Mattermost | CWE-862 | 8.1 | High | 2025-10-16 |
| CVE-2025-41410 | Slack import bypasses email verification for team access controls | Mattermost | CWE-862 | 5.4 | Medium | 2025-10-16 |
| CVE-2025-10545 | Guest user can add unauthorized team users to private channels | Mattermost | CWE-863 | 3.1 | Low | 2025-10-16 |
| CVE-2025-58075 | Arbitrary Mattermost Team can be joined by manipulating the SAML RelayState | Mattermost | CWE-862 | 8.1 | High | 2025-10-16 |
| CVE-2025-54499 | Insecure string comparison enables timing attacks | Mattermost | CWE-208 | 3.1 | Low | 2025-10-16 |
| CVE-2025-41443 | Guest user can discover active public channels | Mattermost | CWE-862 | 4.3 | Medium | 2025-10-16 |
| CVE-2025-58084 | Mattermost Desktop App crashes when clicking on malformed external URL | Mattermost | CWE-1287 | 3.5 | Low | 2025-10-13 |
| CVE-2025-9081 | IDOR in board file download allows any user to download any file by UUID | Mattermost | CWE-639 | 3.1 | Low | 2025-09-19 |
| CVE-2025-9079 | Admin RCE via prepackaged plugins by way of misconfigured imports directory | Mattermost | CWE-22 | 8.0 | High | 2025-09-19 |
| CVE-2025-9072 | One-Click Mattermost Account Takeover via Poisoned RelayState SAML Parameter | Mattermost | CWE-601 | 7.6 | High | 2025-09-15 |
| CVE-2025-9084 | Open redirect in OAuth login | Mattermost | CWE-601 | 3.1 | Low | 2025-09-15 |
| CVE-2025-9078 | Weak cache keys lead to post IDOR and link preview poisoning | Mattermost | CWE-328 | 4.3 | Medium | 2025-09-15 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.